Bug 401837 - sys-libs/glibc-2.14.1-r2 : denied RWX mprotect of <anonymous mapping> by /lib/ld-2.14.1.so
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2012-02-01 18:27 UTC by Agostino Sarubbo
Modified: 2017-06-22 21:17 UTC
Attachments
emerge --info (info, 4.89 KB, text/plain) 2012-10-18 16:13 UTC, Coacher

Description Agostino Sarubbo gentoo-dev 2012-02-01 18:27:04 UTC
This is what dmesg says:

a lot of:

denied RWX mprotect of <anonymous mapping> by /lib/ld-2.14.1.so[ld-linux.so.2:9247] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/ldd[ldd:9245] uid/euid:0/0 gid/egid:0/0



Portage 2.1.10.44 (hardened/linux/x86, gcc-4.6.2, glibc-2.14.1-r2, 2.6.39-hardened i686)
=================================================================
System uname: Linux-2.6.39-hardened-i686-Intel-R-_Pentium-R-_4_CPU_2.00GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 31 Jan 2012 18:00:01 +0000
app-shells/bash:          4.1_p9
dev-lang/python:          2.7.2-r3
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.6.2
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium4 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium4 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps y"
FEATURES="assume-digests binpkg-logs collision-protect distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="it_IT.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
LINGUAS="it"
MAKEOPTS="-j1 -s"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi apic bash-completion berkdb bzip2 caps cli consolekit cracklib crypt custom-cflags custom-optimization cxx dbus dri extras gdbm gpm gtk hardened iconv jpeg jpeg2k lm_sensors mmx modules mudflap ncurses nptl nptlonly nsplugin opengl openmp pam pax_kernel pcre pic png policykit pppd readline session sse sse2 ssl svg symlink sysfs tcpd threads tiff udev urandom x86 xorg zlib" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LINGUAS="it" NGINX_MODULES_HTTP="autoindex gzip limit_req limit_zone" USERLAND="GNU" VIDEO_CARDS="intel"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Anthony Basile gentoo-dev 2012-04-14 09:36:17 UTC
I am unable to reproduce.  Even upgrading to the following toolchain and recompiling world, I hit nothing.  Of course mprotect is on in PaX.  I also don't have enough information about how your system might have gotten into this state.  Can you give steps to reproduce?


Portage 2.1.10.49 (hardened/linux/x86, gcc-4.6.2, glibc-2.14.1-r2, 3.3.1-hardened-r1 i686)
=================================================================
System uname: Linux-3.3.1-hardened-r1-i686-QEMU_Virtual_CPU_version_0.15.0-with-gentoo-2.0.3
Timestamp of tree: Fri, 13 Apr 2012 07:00:01 +0000
app-shells/bash:          4.2_p20
dev-lang/python:          2.7.2-r3, 3.1.4-r3, 3.2.2
dev-util/cmake:           2.8.6-r4
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.68
sys-devel/automake:       1.11.1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            4.5.3-r2, 4.6.2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r1
sys-kernel/linux-headers: 3.1 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo overlay-dev-blueness
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="ftp://192.168.100.9/pub/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/blueness"
SYNC="rsync://192.168.100.7/portage"
USE="acl berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv modules mudflap ncurses nls nptl nptlonly openmp pam pax_kernel pcre pic pppd readline session ssl sysfs tcpd urandom x86 xorg xtpax zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i740 intel mach64 mga neomagic nsc nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa via vmware nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-14 09:50:52 UTC
(In reply to comment #1)
> Can you give steps to reproduce?

There is nothing special to do, just launch emerge and compile.
Comment 3 Anthony Basile gentoo-dev 2012-04-14 10:40:22 UTC
Because of bug #370087, I also tried with -j1 and -s in my make options --- I don't see how that could make a difference but it might have been some bug in make 3.82.  Nonetheless, I am still not reproducing this.

Something else is broken on your test system.  Can you start from the stage3 tarball at MIRROR/pub/gentoo/releases/x86/autobuilds/current-stage3-i686-hardened/stage3-i686-hardened-20111206.tar.bz2 and see if you can hit it from a fresh start?  And if you do, publish the steps you took (history would be good enough).  Otherwise there's nothing to debug.
Comment 4 Coacher 2012-10-18 15:03:44 UTC
I can confirm this behaviour with glibc-2.15-r2. I am not sure about the conditions and actions that can reproduce this bug in 100% of cases, but a machine running 24/7 with almost no user interaction has the message posted in the first comment several times per day, but sometimes none in a week.

Is there a way to collect info where these messages come from in an automated manner, because in my case it is from some daemon(s) running in background?
Comment 5 Coacher 2012-10-18 16:13:19 UTC
Created attachment 326850 [details]
emerge --info
Comment 6 Coacher 2012-10-18 16:19:23 UTC
I guess I found a more or less effective way to reproduce this bug: run `revdep-rebuild -i`. During this command I get 6 grsec alerts.
Comment 7 Anthony Basile gentoo-dev 2012-10-18 17:54:53 UTC
(In reply to comment #6)
> I guess I found a more or less effective way to reproduce this bug: run
> `revdep-rebuild -i`. During this command I get 6 grsec alerts.

Zorry and I are trying to diagnose this.  As far as we know there are no rwx mappings in glibc, so we are puzzled.  Can you try to see if this is related to an rwx mapping in libffi.  Please try this

    python -c "import ctypes"

and let us know if that dies with an RWX mprotect ... message.
Comment 8 Agostino Sarubbo gentoo-dev 2012-10-18 17:57:21 UTC
(In reply to comment #7)
> Can you try to see if this is related
> to an rwx mapping in libffi.  Please try this 
> 
>     python -c "import ctypes"
> 
> and let us know if that dies with an RWX mprotect ... message.

No problems here with that test.
Comment 9 Coacher 2012-10-18 18:02:16 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > Can you try to see if this is related
> > to an rwx mapping in libffi.  Please try this 
> > 
> >     python -c "import ctypes"
> > 
> > and let us know if that dies with an RWX mprotect ... message.
> 
> No problems here with that test.

Same here.
Comment 10 Anthony Basile gentoo-dev 2012-10-18 20:20:06 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > (In reply to comment #7)
> > > Can you try to see if this is related
> > > to an rwx mapping in libffi.  Please try this 
> > > 
> > >     python -c "import ctypes"
> > > 
> > > and let us know if that dies with an RWX mprotect ... message.
> > 
> > No problems here with that test.
> 
> Same here.

Okay, we eliminated that one.  Well, everything will pull in ld.so, so let's see if we can get an strace.  Try something like /bin/ls and see if that throws a denied RWX mmap.  If so then run

  strace -f /bin/ls

If ls doesn't do it, poke around for some other small program which does.  Some process(es) is doing this, you just have to catch one in the act so I can see where the rwx mmap is coming from.
Comment 11 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2012-10-20 01:53:43 UTC
Reports coming from revdep-rebuild are normal since it calls ldd (which in turn calls ld.so).

If you want to disable the warning check your kernel config, the option should be CONFIG_GRKERNSEC_RWXMAP_LOG.

The reason why these messages happen is because in order to follow the library hierarchy ld.so tries doing the mmaps as it would normally do, but since the program being called is ld.so itself and not the executable being traced, the PaX kernel loads the markings for ld.so instead of the ones on the executable whose libraries are being tracked.

Blueness, Zorry I'd leave it up to you either closing the bug (I wouldn't be surprised if ld just fell back to a non RWX mmap mode when the mmap fails), trying to patch ld.so when printing out library dependencies (maybe a bit complicated taking into account how friendly upstream tends to be towards this kind of patches), or pax-marking ld.so (REALLY bad idea since then it can be used to bypass RWX restrictions on programs by calling ld.so directly).
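Comment 4 asked for an automated way to find out where these messages come from, and comment 11 explains that ld.so denials whose parent is ldd are expected. The following script is an added example, not code from the thread or from Gentoo: it parses RWXMAP_LOG lines out of a dmesg dump, groups them by parent process and offending binary, and separates the ldd-induced ones from denials that still need a look (for instance with strace -f as suggested in comment 10). The sample dmesg excerpt is constructed; only its first line is the message from the bug report.

```python
import re
from collections import Counter
from os.path import basename

# Constructed sample dmesg excerpt. The first line is the message quoted in the
# bug report; the second grsec line, the example-daemon line and the unrelated
# USB line are made up here to exercise the grouping.
SAMPLE_DMESG = """\
[  123.456789] grsec: denied RWX mprotect of <anonymous mapping> by /lib/ld-2.14.1.so[ld-linux.so.2:9247] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/ldd[ldd:9245] uid/euid:0/0 gid/egid:0/0
[  123.457001] grsec: denied RWX mprotect of <anonymous mapping> by /lib/ld-2.14.1.so[ld-linux.so.2:9251] uid/euid:0/0 gid/egid:0/0, parent /usr/bin/ldd[ldd:9249] uid/euid:0/0 gid/egid:0/0
[  130.000123] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/example-daemon[example-daemon:4242] uid/euid:1000/1000 gid/egid:1000/1000, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
[  131.000000] usb 1-1: new high-speed USB device number 2 using ehci_hcd
"""

# Layout of the message: offending path[comm:pid] and its ids, then the
# parent path[comm:pid]. Both "mprotect" and "mmap" variants are accepted.
RWX_RE = re.compile(
    r"denied RWX (?P<op>mprotect|mmap) of (?P<target>.+?) "
    r"by (?P<path>\S+?)\[(?P<comm>[^\]:]+):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<ppath>\S+?)\[(?P<pcomm>[^\]:]+):(?P<ppid>\d+)\]"
)

def parse_rwx_denial(line):
    """Return the fields of one RWX denial as a dict, or None for other lines."""
    m = RWX_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "ppid", "uid", "euid", "gid", "egid"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Per comment 11, ld.so denials whose parent is ldd are expected noise;
    anything else deserves a closer look."""
    if rec["pcomm"] == "ldd" and basename(rec["path"]).startswith("ld-"):
        return "expected (ld.so run by ldd)"
    return "investigate"

def summarize(dmesg_text):
    """Count denials by (parent comm, offending path, classification)."""
    counts = Counter()
    for line in dmesg_text.splitlines():
        rec = parse_rwx_denial(line)
        if rec is not None:
            counts[(rec["pcomm"], rec["path"], classify(rec))] += 1
    return counts

if __name__ == "__main__":
    # Real use: dmesg | python thisscript.py ; with no stdin, the sample is used.
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for (parent, path, verdict), n in summarize(text).most_common():
        print(f"{n:4}  {verdict:28}  {path} (parent {parent})")
```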
Comment 12 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2012-10-20 11:50:45 UTC
I have a minimal case in:
# strace /lib32/ld-2.15.so --verify /usr/bin/burnK6
execve("/lib32/ld-2.15.so", ["/lib32/ld-2.15.so", "--verify", "/usr/bin/burnK6"], [/* 69 vars */]) = 0
[ Process PID=23392 runs in 32 bit mode. ]
brk(0)                                  = 0xf0061760
open("/usr/bin/burnK6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\2\0\3\0\1\0\0\0\200\200\4\0104\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=524, ...}) = 0
mmap2(0x8048000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x8048000
mprotect(0xfffffffff9534000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = -1 EACCES (Permission denied)
close(3)                                = 0
exit_group(1)                           = ?
+++ exited with 1 +++

Apparently ld.so will try to load the whole ELF file to verify it but never give it control of the program flow.

My theory is that since burnK6 hasn't any gnu_stack header to mark the stack R_W, ld tries to set the stack to RWX no matter what happens.
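The theory in comment 12 hinges on whether a binary carries a PT_GNU_STACK program header and what flags it has. The script below is an added example (not from the thread or from glibc) that reads the program headers of an ELF file and reports the stack marking as missing, rw or rwx, so binaries that would make ld.so --verify ask for an RWX stack can be listed ahead of time. It handles little-endian ELF32 and ELF64 only; the three sample images are constructed in-line and are not real executables.

```python
import struct

PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4

def gnu_stack_status(elf):
    """Return 'missing', 'rw' or 'rwx' for an ELF image's PT_GNU_STACK header.
    Only little-endian ELF32/ELF64 (the cases on this bug) are handled."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]
    if ei_data != 1:
        raise ValueError("big-endian ELF not handled in this example")
    if ei_class == 1:    # ELFCLASS32: Elf32_Ehdr fields after e_ident
        hdr = struct.unpack_from("<HHIIIIIHHHHHH", elf, 16)
        phdr_fmt, type_idx, flags_idx = "<IIIIIIII", 0, 6   # p_flags is the 7th field
    elif ei_class == 2:  # ELFCLASS64: p_flags directly follows p_type
        hdr = struct.unpack_from("<HHIQQQIHHHHHH", elf, 16)
        phdr_fmt, type_idx, flags_idx = "<IIQQQQQQ", 0, 1
    else:
        raise ValueError("bad EI_CLASS")
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            return "rwx" if ph[flags_idx] & PF_X else "rw"
    return "missing"   # no header at all: what comment 12 suspects for burnK6

def scan(paths):
    """Map each file to its stack status; 'missing' and 'rwx' entries are the
    candidates for an RWX mprotect denial when ld.so --verify loads them."""
    result = {}
    for p in paths:
        with open(p, "rb") as f:
            result[p] = gnu_stack_status(f.read())
    return result

def build_elf32(phdrs):
    """Constructed test input: a minimal, non-runnable ELF32 image whose
    program headers carry the given (p_type, p_flags) pairs."""
    ehsize, phentsize = 52, 32
    ident = b"\x7fELF" + bytes([1, 1, 1, 0, 0]) + b"\0" * 7
    ehdr = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, ehsize, 0, 0,
                       ehsize, phentsize, len(phdrs), 0, 0, 0)
    phdrs_bin = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0)
                         for t, f in phdrs)
    return ident + ehdr + phdrs_bin

# Constructed samples: a normal RW stack, an executable stack, and a binary
# with no PT_GNU_STACK at all (the shape comment 12 attributes to burnK6).
RW_STACK = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
EXEC_STACK = build_elf32([(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NO_STACK_HDR = build_elf32([(PT_LOAD, PF_R | PF_X)])

if __name__ == "__main__":
    import sys
    for p, s in scan(sys.argv[1:]).items():
        print(f"{s:8} {p}")
```

On a Gentoo box, `scanelf -e` from pax-utils prints the same PT_GNU_STACK marking for installed binaries.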
Comment 13 Coacher 2012-10-21 11:05:07 UTC
(In reply to comment #10)
> If ls doesn't do it, poke around for some other small program which does. 
> Some process(es) is doing this, you just have to catch one in the act so I
> can see where the rwx mmap is coming from.

I was unable to reproduce this warning with files from /bin, yet I tried around 20-30 binaries.
Comment 14 Coacher 2012-10-21 11:07:07 UTC
(In reply to comment #11)
> Reports coming from revdep-rebuild are normal since it calls ldd (which in
> turn calls ld.so).
> 
> If you want to disable the warning check your kernel config, the option
> should be CONFIG_GRKERNSEC_RWXMAP_LOG.
> 
> The reason why these messages happen is because in order to follow the
> library hierarchy ld.so tries doing the mmaps as it would normally do, but
> since the program being called is ld.so itself and not the executable being
> traced, the PaX kernel loads the markings for ld.so instead of the ones on
> the executable whose libraries are being tracked.
> 
> Blueness, Zorry I'd leave it up to you either closing the bug (I wouldn't be
> surprised if ld just fell back to a non RWX mmap mode when the mmap fails),
> trying to patch ld.so when printing out library dependencies (maybe a bit
> complicated taking into account how friendly upstream tends to be towards
> this kind of patches), or pax-marking ld.so (REALLY bad idea since then it
> can be used to bypass RWX restrictions on programs by calling ld.so
> directly).

Thank you for a thorough explanation. I guess my warnings were only the result of revdep-rebuild's work.
Comment 15 Agostino Sarubbo gentoo-dev 2012-10-21 11:14:37 UTC
I don't see these warnings anymore.
Comment 16 Anthony Basile gentoo-dev 2012-10-21 17:39:09 UTC
I'm bouncing this off of upstream.  I have never seen this on a glibc system, but I have on uclibc.  Here's an example.  It appears to happen more during boot than during running.  This makes me suspect that it occurs when a library is first lifted into RAM by the loader that some rwx mmap is occurring.  Even so, we need to nail this.  If it's harmless, then make the warnings go away, and if it's not harmless, fix it.

ld64-uClibc.so.[11413]: segfault at c1b52004 ip 0000031fc1b580f6 sp 000003b8986142b0 error 4 in ld64-uClibc-0.9.33.2.so[31fc1b52000+8000]
ld64-uClibc.so.[11459]: segfault at e52c8004 ip 000002ebe52ce0f6 sp 00000392aa998720 error 4 in ld64-uClibc-0.9.33.2.so[2ebe52c8000+8000]
ld64-uClibc.so.[11460]: segfault at c7aa2004 ip 0000029fc7aa80f6 sp 000003baedd03520 error 4 in ld64-uClibc-0.9.33.2.so[29fc7aa2000+8000]
ld64-uClibc.so.[11461]: segfault at 73c49004 ip 0000028f73c4f0f6 sp 000003aaef589aa0 error 4 in ld64-uClibc-0.9.33.2.so[28f73c49000+8000]
ld64-uClibc.so.[11462]: segfault at 35e63004 ip 0000033c35e690f6 sp 000003de829d7910 error 4 in ld64-uClibc-0.9.33.2.so[33c35e63000+8000]
ld64-uClibc.so.[11463]: segfault at c1d6f004 ip 000002bcc1d750f6 sp 000003b7771e2770 error 4 in ld64-uClibc-0.9.33.2.so[2bcc1d6f000+8000]
ld64-uClibc.so.[11469]: segfault at f2c2004 ip 0000037f0f2c80f6 sp 000003f5e9231fa0 error 4 in ld64-uClibc-0.9.33.2.so[37f0f2c2000+8000]
ld64-uClibc.so.[11470]: segfault at 436a4004 ip 0000027a436aa0f6 sp 000003aab1626b20 error 4 in ld64-uClibc-0.9.33.2.so[27a436a4000+8000]
ld64-uClibc.so.[11471]: segfault at 759eb004 ip 000002f3759f10f6 sp 000003fe15e91e60 error 4 in ld64-uClibc-0.9.33.2.so[2f3759eb000+8000]
ld64-uClibc.so.[11472]: segfault at 8e0c1004 ip 0000021f8e0c70f6 sp 0000038070cbc180 error 4 in ld64-uClibc-0.9.33.2.so[21f8e0c1000+8000]
Comment 17 Andreas K. Hüttel archtester gentoo-dev 2017-06-22 21:17:47 UTC
glibc-2.14 is long gone.